Breach of New EU Online Data Rules to Carry High Fines

(Reuters) - The European Commission proposed new online data privacy rules on Wednesday, putting more responsibility on companies to protect users' information, and said those who breach the code could be fined up to two percent of annual turnover.

After two years of examining the shifts in Internet use and the behavior of consumers using websites such as Facebook, Google and Yahoo!, the European commissioner in charge of data privacy, Viviane Reding, said she was determined to give individuals more control over their personal information.

The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data, Reding said.

A strong, clear and uniform legal framework at EU level will help to unleash the potential of the digital single market and foster economic growth, innovation and job creation.

The new rules, which have caused widespread concern among major technology and data companies, are expected to come into force at the end of 2013, once they have been approved by all EU member states and the European Parliament.

One of the more contested elements of the proposed legislation is what Reding has dubbed the right to be forgotten - effectively giving an individual the right to have all their data pulled from websites if they wish.

Access to a certain amount of personal data - and the digital trace that people leave after using the Internet for any length of time - is a critical element in the business model of companies such as Facebook and other social networking sites.

As well as causing consternation to those companies, arguments against the right to be forgotten have also come from historians and U.S. government authorities, who have argued that hugely valuable information that forms part of the historical record could be lost under the proposed laws.

After intense lobbying in recent months, Reding's department has watered down the proposal, removing a company's liability for not scrapping all of an applicant's data traces if it can be shown that a third party copied the data without knowledge.

And bloggers will not be subject to the new data rules if they are writing in a personal capacity - meaning they would not have the same obligation to remove all information if requested.

Some large online companies are more concerned about new guidelines on user consent - which would require companies to secure a user's formal approval to hold their data rather than assuming permission - rather than the prospect of fines.

Online publishers and other websites that closely track users' interests - such as Amazon - fear that such a rule will prevent them from providing customised content based on recurring themes - whether cooking or sports - in users' browsing sessions.

But the potential for fines is also causing consternation among major companies that use or depend upon data.

Originally Reding had wanted to fine companies a maximum of five percent of their annual global turnover for any breach of the rules. That has been scaled down to two percent, but is still a potentially vast figure.

For Google, for example, a breach of the rules could result in a fine of up to $800 million, based on expected full-year revenues in 2011.